Project Description:Windows binary malware has come a long way. Today's average worm is often tens or hundreds of kilobytes of code exhibiting a level of complexity that surpasses even some operating systems. This degree of complexity, coupled with the overwhelming flow of new malware, calls for improvements to tools and techniques used in analysis.

F-Secure produced this rich 3D animation that visualizes the structure and execution of the W32/Bagle.AG@mm worm. The boxes in the picture are functions of the worm. The one on the top is the 'main' where the execution starts. The first ring contains all the functions that 'main' calls. The second all the functions that the ones on the first ones call and so on. All connecting lines represent the calls from one function to the other. Red boxes belong to the virus code while the blue ones are API calls library code that do not belong to the malicious code. The animation was created using IDA Pro, IDAPython, Blender and other custom scripts.